
Re: libssh FIPS support


Glad to know that it is working in RHEL8.
I will check the openssl versions included in that package.

But here I'm trying to build everything in Windows using Visual Studio 2017.
Used the following sources to build the libraries.

Openssl-fips (2.0.16)(latest available in openssl site):
https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz
Openssl (1.0.2):
https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz

Both the above can be compiled together. But it won't support libssh 0.9.4.
It requires openssl 1.1.1.

openssl (1.1.1) : https://www.openssl.org/source/openssl-1.1.1g.tar.gz

Now this version of openssl (1.1.1) won't compile using Openssl-fips
(2.0.16).

That is where I'm stuck.

--
Jijo


On Wed, May 13, 2020 at 8:06 PM Jakub Jelen <jjelen@xxxxxxxxxx> wrote:

> On Wed, 2020-05-13 at 19:19 +0530, jijo thomas wrote:
> > I'm confused now. Following is from libssh release note.
> >
> > "When libssh is built against a recent version of OpenSSL we will use
> > the
> > new APIs for KEX, DH, KDF and signatures. This is especially required
> > for
> > FIPS compatibility"
> >
> > So the above cannot be achieved with any released versions of
> > openssl-fips?
>
> I assume you are referring to the Ubuntu package called openssl-fips which
> provides the openssl fips module. I don't know if they did release any
> openssl-fips package that would support SSH KDF -- I assume not (but
> you should consult your vendor).
>
> In RHEL8, the normal openssl package is a FIPS module supporting all of the
> above, and therefore FIPS compliance can be achieved.
>
> Regards,
> Jakub
>
> > --
> > Jijo
> >
> > On Tue, May 12, 2020 at 7:56 PM Anderson Sasaki <ansasaki@xxxxxxxxxx>
> > wrote:
> >
> > >
> > > ----- Original Message -----
> > > > From: "jijo thomas" <jijo7thomas@xxxxxxxxx>
> > > > To: libssh@xxxxxxxxxx
> > > > Sent: Tuesday, May 12, 2020 3:44:58 PM
> > > > Subject: Re: libssh FIPS support
> > > >
> > > > Latest available openssl FIPS module is 2.0.16, which is
> > > > compatible with
> > > > openssl 1.0.2.
> > > > But libssh 0.9.4 requires openssl 1.1.1.
> > > >
> > > > I don't think openssl 1.1.1g could be compiled with openssl-fips-
> > > > 2.0.16
> > > > (at least I was not able to do that)
> > > >
> > > > What am I missing here, to compile libssh with FIPS support in
> > > > windows?
> > >
> > > A FIPS certified module is not something you can compile on your
> > > machine.
> > > The module (which is in this case a binary) needs to be tested by
> > > an
> > > accredited laboratory and approved by NIST, which is an expensive
> > > and
> > > usually long process.
> > > What you are missing is the OpenSSL 1.1.1 certified module for
> > > Windows,
> > > which probably doesn't exist (I'm not aware of any).
> > >
> > >
> > >
> --
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
>
>
>
